21 Jan 2014

Compromised WordPress Sites Serve Aggressive Spam Bot That Hides in Plain Sight

A new spam bot that evades scrutiny by hiding key information in a sea of traffic is spreading rapidly with the support of compromised WordPress web sites, according to Softpedia News.

The malware is said to be particularly aggressive, comparable to Cutwail, and is served through drive-by downloads. Once it has infected a network, it makes little attempt to hide its presence.

Once infected, the device is abused to distribute other threats.

Network communication from the infected machine runs through three spawned “svhost.exe” processes. An unusual facet of the bot’s command-and-control communications is that it hides the more important information within a large volume of traffic.

Judging from a sample of addresses and ports, the bot most commonly uses port 25 to send unauthorized spam, according to a report released by Dell.
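A small host-triage script, added here as an example and not part of the article or Dell's report, that turns the two indicators above into checks: processes whose name resembles but is not a well-known Windows binary (treating “svhost.exe” as a lookalike of svchost.exe is an assumption; the article only reports the name), and a single process opening outbound port-25 connections to many distinct destinations, whose few non-SMTP connections are then pulled out of the spam flood for inspection. All process and connection data is constructed.

```python
from collections import defaultdict

# Constructed sample data, not taken from the article: a process listing as
# (name, image path) and outbound connections as (process, dst_ip, dst_port).
PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svhost.exe", r"C:\Users\u\AppData\Roaming\svhost.exe"),
    ("svhost.exe", r"C:\Users\u\AppData\Roaming\svhost.exe"),
    ("svhost.exe", r"C:\Users\u\AppData\Roaming\svhost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
CONNECTIONS = [("svhost.exe", f"198.51.100.{i}", 25) for i in range(1, 41)] + [
    ("svhost.exe", "203.0.113.7", 8080),   # low-volume channel buried in the SMTP noise
    ("explorer.exe", "192.0.2.5", 443),
]

# Assumed allow-list of legitimate names the lookalike check compares against.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

def edit_distance(a, b):
    """Levenshtein distance; one-character lookalikes score 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_processes(processes):
    """Distinct (name, path) whose name is one edit away from a known binary."""
    hits = set()
    for name, path in processes:
        if name.lower() in KNOWN_SYSTEM_BINARIES:
            continue
        if any(edit_distance(name.lower(), k) == 1 for k in KNOWN_SYSTEM_BINARIES):
            hits.add((name, path))
    return sorted(hits)

def smtp_spammers(connections, min_destinations=20):
    """Processes reaching many distinct hosts on port 25; a workstation rarely should."""
    dests = defaultdict(set)
    for proc, ip, port in connections:
        if port == 25:
            dests[proc].add(ip)
    return {p: len(d) for p, d in dests.items() if len(d) >= min_destinations}

def rare_destinations(connections, spammer):
    """Non-SMTP endpoints of a flagged process: the traffic worth inspecting first."""
    return sorted({(ip, port) for p, ip, port in connections if p == spammer and port != 25})
```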